diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 7121a46..5c0f315 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -169,7 +169,7 @@ in
 };
- services.redis.servers.rspamd.enable = lib.mkDefault true;
+ services.redis.servers.rspamd.enable = lib.mkDefault cfg.redis.configureLocally;
 systemd.tmpfiles.settings."10-rspamd.conf" = {
 "${cfg.dkimKeyDirectory}" = {
@@ -204,9 +204,11 @@ in
 # Explicitly select yesterday's date to work around broken
 # default behaviour when called without a date.
 # https://github.com/rspamd/rspamd/issues/4062
- script = ''
- ${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
- '';
+ script = toString [
+ (lib.getExe' pkgs.rspamd "rspamadm")
+ "dmarc_report"
+ "$(date -d 'yesterday' '+%Y%m%d')"
+ ];
 serviceConfig = {
 User = "${config.services.rspamd.user}";
 Group = "${config.services.rspamd.group}";
@@ -235,10 +237,14 @@ in
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
+ "AF_UNIX"
 ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
+ SupplementaryGroups = lib.optionals cfg.redis.configureLocally [
+ config.services.redis.servers.rspamd.group
+ ];
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
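Review bot: The new `script = toString [ … ]` list reads like an argument vector, but `toString` only joins the elements with spaces and the result is still parsed by the shell, which is what lets the `"$(date -d 'yesterday' '+%Y%m%d')"` element expand. Nothing in the list is escaped, so a later element containing spaces or shell metacharacters would be split or expanded; a comment above the list such as `# joined with spaces and run through the shell; quote any literal added here` would record that. `date` is also still resolved through the unit's PATH while `rspamadm` is pinned to a store path; `"$(${lib.getExe' pkgs.coreutils "date"} -d yesterday +%Y%m%d)"` would pin both. The unit definition starts and ends outside this hunk.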
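Review bot: `"AF_UNIX"` is added to `RestrictAddressFamilies` unconditionally, while the matching `SupplementaryGroups` entry is gated on `cfg.redis.configureLocally`. If the Unix socket is only needed to reach the local Redis instance (inferred; the unit's other socket use is not visible here), the sandbox is loosened for remote-Redis setups without need, and `] ++ lib.optional cfg.redis.configureLocally "AF_UNIX";` would keep the restriction tight there. The gate reads `cfg.redis.configureLocally`, whereas the first hunk sets `services.redis.servers.rspamd.enable` only through `lib.mkDefault`, so the two can diverge when the Redis server is overridden elsewhere. `serviceConfig` begins and ends outside this hunk.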